The international payment brands MasterCard, Visa, and Europay agreed in 1993 to work together to develop specifications for the use of smart cards in payment cards used as either a debit or a credit card and later as electronic purses. The first version of the EMV system was released in 1994. In 1998 a stable release of the specifications was available. The specification was upgraded in 2000 and 2004. With the exception of the United States, there has been significant progress in the deployment of EMV-compliant point-of-service or point-of-sale equipment and the issuance of debit and/or credit cards adhering to the EMV specifications. EMV-compliant point-of-service or point-of-sale equipment is able to accept and read smart cards.
Smart cards with contactless interfaces are becoming increasingly popular for payment and ticketing applications. An easy-to-implement version is currently being deployed in the USA. Use of wireless communications in completing transactions increases the difficulty of maintaining confidential information, such as PIN codes.
A quickly growing application is in digital identification cards. In this application, the cards are used for authentication of identity. The most common example is in conjunction with a public key infrastructure. The smart card will store a digital certificate issued from the public key infrastructure along with any other relevant or needed information about the card holder. When combined with biometrics, smart cards can provide two- or three-factor authentication and can enhance privacy.
Smart cards are considered suitable for these tasks, because they are engineered to be tamper resistant. The embedded chip of a smart card usually implements some cryptographic algorithm.
Many problems exist in current methods of issuance and use of credit cards, debit cards, electronic purse cards or the like. Examples of such problems include:
a) Fraud at non-EMV terminals, such as skimming attacks. Such terminals read the card's magnetic stripe and are not equipped to interact with chip-cards (integrated-circuit-cards) that, for example, conform to the EMV (Europay MasterCard Visa) standard. Skimming attack frauds occur when the card's magnetic stripe is recorded and the user's PIN is recorded by electronic or visual means, such as a camera near the PIN-pad.
b) No Cardholder Verification Method (CVM) at EMV CAT level 2 and level 3 transactions: in such cases transaction value limits have to be small, and small frauds may occur. An EMV CAT level 2 terminal is an EMV Cardholder Activated Terminal that has no PIN-pad and which may go online to the issuer. An EMV CAT level 3 terminal is an EMV Cardholder Activated Terminal that has no PIN-pad and is off-line only.
c) Contactless card transactions that maintain the ‘Tap & Go’ convenience and speed do not require a PIN (Personal Identification Number) to be entered to authenticate the account user and therefore have low transaction limits.
d) Terminal costs increase when particular security measures are used, such as an encrypted PIN-pad, a Secure Application Module (SAM) for proprietary encrypted off-line PIN, and secure chip-card readers.
e) Network operation costs are high due to security requirements for encrypted online PIN verification.
f) The cardholder's interaction time at a point-of-service is long due to the requirement to type in a PIN.
g) Fraud occurs in active attacks on contactless cards. Such attacks are sometimes referred to in the literature as “electronic pick-pocketing and re-presentment”, “re-play” or even “pre-play attacks”.
A pre-play attack is one where legitimate authentication data is submitted by the attacker before the legitimate user submits it, therefore getting the authorised services and causing the legitimate user to be denied access. The hacker may mount a fraudulent contactless transaction by approaching the Cardholder's pocket with a battery-powered proximity reader that can trigger a contactless payment transaction response from the payment card or device, or the proximity reader may be modified by a dishonest merchant or their clerk to fetch information from the proximity card/device for more than the current transaction.
h) High costs are incurred to achieve security for off-line payment methods that require the cardholder to key in a PIN at a transaction terminal. An example high-cost security method requires a physically secured chip card reader so that a person attempting fraud cannot physically tap the ISO7816/EMV Level 1 interface and record the PIN; this increases the cost of the transaction terminal. A second example high-cost security method requires an off-line encrypted PIN, which is a logically protected channel with RSA encryption, so that a person attempting fraud cannot read the PIN from the digital envelope when weak physical security exists; this increases the cost of the chip-card, which must include a crypto-processor. This is usually the cryptographic method used when interoperability is a requirement, as in the case of EMV, or when the use of a Secure Application Module (SAM) in the transaction terminal for implementing a proprietary encrypted off-line PIN method is deemed prohibitive due to cost and operational complexity.
i) Low security exists with LVP (low value payment) cards since there is no cardholder verification method. People other than the eligible Cardholder can use a lost or stolen card until the available balance on the card is depleted. LVP cards are otherwise often known as e-purse or electronic purse cards.
Security could be provided by requiring the use of a PIN at any point-of-service; however, many LVP service providers, such as those operating vending machines and parking meters, will not bear the extra cost to support secure PIN entry on their transaction terminals.
WO 2006/053191 describes the use of dynamic codes instead of PIN codes. This increases the security especially when the dynamic code is only used once. However, the complexity of the network is not reduced as the dynamic code is sent through the network and treated in the same way as a PIN code.
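The following added example (not taken from the patent or from WO 2006/053191) models the pre-play definition under item g) against a code that is only used once: single use refuses a second presentment, but the first presentment wins regardless of who made it, so the refusal is what the issuer can detect on. The class, account, code and terminal names are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class OneTimeCodeVerifier:
    """Toy issuer-side verifier for single-use dynamic codes (hypothetical model)."""
    unused: dict                                  # account -> set of codes not yet spent
    spent: dict = field(default_factory=dict)     # (account, code) -> terminal that spent it
    alerts: list = field(default_factory=list)    # presentments queued for fraud review

    def present(self, account: str, code: str, terminal: str) -> bool:
        key = (account, code)
        if key in self.spent:
            # A spent code is refused, so a plain replay fails. The refusal is also
            # the only visible trace of a pre-play: the earlier acceptance may have
            # been the fraudulent one, so both presentments are recorded for review.
            self.alerts.append({"account": account,
                                "accepted_at": self.spent[key],
                                "refused_at": terminal})
            return False
        if code in self.unused.get(account, set()):
            self.unused[account].remove(code)
            self.spent[key] = terminal
            return True
        return False                              # unknown code: reject, no alert


def run_scenario():
    """Constructed data: one account, one outstanding code, two presentments."""
    verifier = OneTimeCodeVerifier(unused={"acct-0001": {"493817"}})
    # The code reaches the issuer first from a reader the cardholder never used.
    first = verifier.present("acct-0001", "493817", "reader-unknown")
    # The cardholder's own transaction then presents the same code and is denied.
    second = verifier.present("acct-0001", "493817", "shop-terminal-7")
    return first, second, verifier.alerts


if __name__ == "__main__":
    print(run_scenario())
```

The verifier cannot tell which of the two presentments was legitimate; the alert only pairs them so that the accepted transaction is reviewed as well as the refused one.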